Okay folks, let's talk about bypassing #SSLPinning in #Android applications.
It's going to be a bit long Twitter 🧵
It's going to be a bit long Twitter 🧵
First, let's talk about SSL Pinning.
It's "pinning" some content of your website's public SSL certificate to your Android app.
It can be hash from your leaf cert, intermediate CA or even root CA.
It's "pinning" some content of your website's public SSL certificate to your Android app.
It can be hash from your leaf cert, intermediate CA or even root CA.
SSL Pinning makes sure that the your Android app is talking to your server over HTTPS.
If you pin the hash of leaf cert, it mitigates your app connecting to any other HTTPS server whose SSL cert is issued by a CA that the device trusts.
If you pin the hash of leaf cert, it mitigates your app connecting to any other HTTPS server whose SSL cert is issued by a CA that the device trusts.
The SSL "pinned" Android app works fine, till the SSL certificate expires. 😱
That's the reason Android docs don't recommend to implement SSL pinning in your apps.
developer.android.com/training/artic…
That's the reason Android docs don't recommend to implement SSL pinning in your apps.
developer.android.com/training/artic…
But wait, at the same time MASVS recommends SSL pinning as an additional defense-in-depth measure.
(Check MSTG-NETWORK-4)
github.com/OWASP/owasp-ma…
(Check MSTG-NETWORK-4)
github.com/OWASP/owasp-ma…
So, if you are pentesting an Android app, which contains sensitive PII, payment info, etc you might come across SSL Pinning.
Bypassing it would be the first step to look at the HTTP calls being made to the target server.
Bypassing it would be the first step to look at the HTTP calls being made to the target server.
Let's try to bypass it step by step.
Note: Don't think you have to follow all steps to bypass SSL pinning.
The steps are set in increasing order of difficulty (to setup tools & bypass) - first being the easiest and last being the most time consuming & difficult.
Note: Don't think you have to follow all steps to bypass SSL pinning.
The steps are set in increasing order of difficulty (to setup tools & bypass) - first being the easiest and last being the most time consuming & difficult.
1. Using a Lower Version of Android
This is easiest way. Try running the app on Android M (API level 23) or below.
If the SSL pinning is implemented using Network Security Config file, the pinning will not work in lower version.
If this doesn't work go to 2nd step, so on.
This is easiest way. Try running the app on Android M (API level 23) or below.
If the SSL pinning is implemented using Network Security Config file, the pinning will not work in lower version.
If this doesn't work go to 2nd step, so on.
2. Modification of Network Security Config (NSC) File
Some Android apps use NSC file to implement SSL pinning and don't allow the app to execute on lower Android versions (like API level >=23).
In such case decompile the apk, modify NSC file and rebuild the apk.
Some Android apps use NSC file to implement SSL pinning and don't allow the app to execute on lower Android versions (like API level >=23).
In such case decompile the apk, modify NSC file and rebuild the apk.
3. JustTrustMe Xposed Module
If recompiling didn't work (maybe because its an app bundle/has tamper protection,etc), then install app on Android emulator/device (with root permissions).
Install Xposed framework and JustTrustMe module. Activate it and start using target app.
If recompiling didn't work (maybe because its an app bundle/has tamper protection,etc), then install app on Android emulator/device (with root permissions).
Install Xposed framework and JustTrustMe module. Activate it and start using target app.
4. Objection
Use objection tool to "patch" the Android app.
It also gives option to bypass SSL pinning (and a bunch of other useful stuff).
Note: Setting up Objection can be a bit tedious process. But it's one time task.
Use objection tool to "patch" the Android app.
It also gives option to bypass SSL pinning (and a bunch of other useful stuff).
Note: Setting up Objection can be a bit tedious process. But it's one time task.
5. Frida Gadget
You can patch the app with Frida Gadget manually or using Objection.
Install the patched app and run frida-multiple-unpinning bypass script.
codeshare.frida.re/@akabe1/frida-…
You can patch the app with Frida Gadget manually or using Objection.
Install the patched app and run frida-multiple-unpinning bypass script.
codeshare.frida.re/@akabe1/frida-…
6. Frida
If patching an apk is hard, you can try setting up Frida server on a rooted Android device/emulator.
Then use the above frida-multiple-unpinning script to bypass SSL pinning.
You might also have to bypass Android app's root detection in this method (if any).
If patching an apk is hard, you can try setting up Frida server on a rooted Android device/emulator.
Then use the above frida-multiple-unpinning script to bypass SSL pinning.
You might also have to bypass Android app's root detection in this method (if any).
7. Taint Analysis using Frida
If none of the above steps worked, then taint analysis is the only way forward.
Decompile app, manually check SSL pinning logic and create a custom Frida script to bypass SSL pinning.
This is a time consuming process & involves trial and error.
If none of the above steps worked, then taint analysis is the only way forward.
Decompile app, manually check SSL pinning logic and create a custom Frida script to bypass SSL pinning.
This is a time consuming process & involves trial and error.
If you have made it this far, then checkout "Ultimate Guide To Android SSL Pinning Bypass"
It contains details on:
- what's SSL pinning
- what's not SSL pinning
- hows it implemented
- how to bypass it
- commands, screenshots and much more...
redhuntlabs.com/ultimate-guide…
It contains details on:
- what's SSL pinning
- what's not SSL pinning
- hows it implemented
- how to bypass it
- commands, screenshots and much more...
redhuntlabs.com/ultimate-guide…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
